Currently, some conventional malware detection systems are configured to monitor activities associated with a process. Upon detecting an anomalous event associated with one or more of these activities, the whole process is determined to be tainted and is identified as being potentially malicious. Subsequent analysis of the process in efforts to determine which activities, if any, are malicious may be quite difficult, especially where the process performs thousands of activities and produces hundreds of anomalous events.
For instance, malware utilizing code-injection techniques typically targets a well-known system process (e.g., an executable such as Internet Explorer®, winlogon.exe, etc.). Such targeted processes are often computationally intensive as these processes may perform thousands of activities per second, where hundreds of events may be considered to be anomalous during run time. The results produced by a selected process that is executing a targeted object for analysis may yield an excessive number of anomalous events, where some (and perhaps a high percentage) of these anomalous events may constitute false positives. Hence, this conventional process monitoring scheme has accuracy concerns as the presence of a large number of anomalous events may dilute the accuracy of reports generated by the malware detection system and may obfuscate real malicious activity among those activities that may appear to be malicious but are benign.